Detect users who authenticate through Okta SSO to more than 10 unique applications within a 5 minute window. A single account reaching that many distinct apps in so short a time is meant to surface Discovery or Lateral Movement attempts.
This is being submitted as a hunt rather than a rule because values is still beta and is considered risky for performance. A rule version using count_distinct (which keeps only the count and loses the per-app details) is being tracked under: #4099
Related rules
4edd3e1a-3aa0-499b-8147-4d2ea43b1613 okta Unauthorized Access to an Okta Application
Target Ruleset
okta
Target Rule Type
ES|QL
Query
from logs-okta*
// one event per SSO authentication; drop events with no user to group by
| where event.action == "user.authentication.sso" and user.email is not null
// distinct app names per user, per 5 minute window (the window the description refers to)
| stats unique_apps = mv_dedupe(values(okta.target_app.display_name)) by user.email, window = bucket(@timestamp, 5 minutes)
| eval total_apps = mv_count(unique_apps)
| where total_apps > 10
| sort total_apps desc
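To make the hunt's logic concrete without a cluster, here is an offline re-implementation of the same windowed distinct-app count over a few constructed Okta-shaped events. This is an added example, not code from the issue or from Elastic's detection-rules repository; it assumes events carry the same fields the ES|QL query reads (event.action, user.email, okta.target_app.display_name) and uses fixed 5 minute windows aligned to the epoch, the way bucket() would. The sample events and the _ev helper are constructed for illustration.

```python
"""Offline mirror of the hunt above: group Okta SSO events per user into fixed
5 minute windows and flag any window with more than N distinct target apps.
Added example, not code from the issue or from Elastic's detection-rules repo."""
from collections import defaultdict
from datetime import datetime, timezone


def _ev(ts, email, app, action="user.authentication.sso"):
    """Build one event shaped like the fields the ES|QL query reads
    (user.email, event.action, okta.target_app.display_name). Hypothetical helper."""
    return {"@timestamp": ts, "event": {"action": action},
            "user": {"email": email},
            "okta": {"target_app": {"display_name": app}}}


# Constructed sample data, not real Okta logs.
SAMPLE_EVENTS = (
    # alice: 12 distinct apps plus one repeated app, all between 10:00:00 and 10:01:00
    [_ev(f"2024-05-01T10:00:{s:02d}Z", "alice@example.com", f"App{i:02d}")
     for i, s in enumerate(range(0, 48, 4))]
    + [_ev("2024-05-01T10:01:00Z", "alice@example.com", "App00")]
    # bob: 12 distinct apps too, but split 6/6 across the 10:00 and 10:05 windows
    + [_ev(f"2024-05-01T10:02:{i * 5:02d}Z", "bob@example.com", f"Tool{i}") for i in range(6)]
    + [_ev(f"2024-05-01T10:06:{i * 5:02d}Z", "bob@example.com", f"Tool{i + 6}") for i in range(6)]
    # carol: one non-SSO event (must be ignored) and one SSO login
    + [_ev("2024-05-01T10:00:30Z", "carol@example.com", "Okta Dashboard", action="user.session.start"),
       _ev("2024-05-01T10:00:40Z", "carol@example.com", "Jira")]
)


def _window_start(ts: str, window_seconds: int) -> int:
    """Epoch second of the fixed-size window containing ts (like ES|QL bucket())."""
    epoch = int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                .replace(tzinfo=timezone.utc).timestamp())
    return epoch - epoch % window_seconds


def distinct_apps_per_window(events, window_seconds=300):
    """Map (user.email, window_start) -> set of distinct app display names."""
    apps = defaultdict(set)
    for ev in events:
        if ev.get("event", {}).get("action") != "user.authentication.sso":
            continue
        email = ev.get("user", {}).get("email")
        app = ev.get("okta", {}).get("target_app", {}).get("display_name")
        if not email or not app:
            continue  # nothing to group by, or nothing to count
        key = (email, _window_start(ev["@timestamp"], window_seconds))
        apps[key].add(app)
    return apps


def find_app_sprawl(events, threshold=10, window_seconds=300):
    """Return windows where one user reached more than `threshold` distinct apps,
    highest count first, keeping the app list that a count_distinct variant would lose."""
    hits = []
    for (email, start), names in distinct_apps_per_window(events, window_seconds).items():
        if len(names) > threshold:
            hits.append({
                "user.email": email,
                "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                "total_apps": len(names),
                "unique_apps": sorted(names),
            })
    hits.sort(key=lambda h: h["total_apps"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_app_sprawl(SAMPLE_EVENTS):
        print(hit["user.email"], hit["window_start"], hit["total_apps"], hit["unique_apps"])
```

With the default threshold only alice is flagged: bob also touches 12 apps, but split across two windows, which is exactly the difference between a per-window count and a plain count over the whole lookback. Lowering the threshold to 5 surfaces both of bob's windows as well.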
New fields required in ECS/data sources for this rule?
No response
Related issues or PRs
No response
References
No response
Redacted Example Data
No response